Run ACL changes through an admin_cmd

admin/inc/class.admin_acl.inc.php

@@ -336,9 +336,10 @@ class admin_acl
 	 *
 	 * @param string|array $ids "$app:$account:$location" string used as row-id in list
 	 * @param int $rights =null null to delete, or new rights
+	 * @param Array $values =array() Additional values from UI
 	 * @throws Api\Exception\NoPermission
 	 */
-	public static function ajax_change_acl($ids, $rights=null)
+	public static function ajax_change_acl($ids, $rights=null, $values = array())
 	{
 		try {
 			foreach((array)$ids as $id)
@@ -349,13 +350,23 @@ class admin_acl
 
 				$acl = $GLOBALS['egw']->acl;
 
-				if (!(int)$rights)	// this also handles taking away all rights as delete
+				$right_list = Api\Hooks::single(array('location' => 'acl_rights'), $app);
+				$current = (int)$acl->get_specific_rights_for_account($account_id,$location,$app);
+				foreach($right_list as $right => $name)
 				{
-					$acl->delete_repository($app, $location, $account_id);
-				}
-				else
-				{
-					$acl->add_repository($app, $location, $account_id, $rights);
+					$have_it = !!($current & $right);
+					$set_it = !!($rights & $right);
+					if($have_it == $set_it) continue;
+					$data = array(
+						'allow' => $set_it,
+						'account' => $account_id,
+						'app' => $app,
+						'location' => $location,
+						'rights' => (int)$right
+						// This is the documentation from policy app
+					)+(array)$values['admin_cmd'];
+					$cmd = new admin_cmd_acl($data);
+					$cmd->run();
 				}
 			}
 			if (!(int)$rights)
@@ -428,7 +439,7 @@ class admin_acl
 		// Set this so if loaded via preferences, js is still properly
 		// loaded into global app.admin
 		$GLOBALS['egw_info']['flags']['currentapp'] = 'admin';
-		
+
 		$tpl->exec('admin.admin_acl.index', $content, $sel_options, array(), array(), 2);
 	}
 

admin/inc/class.admin_cmd_acl.inc.php

@@ -0,0 +1,117 @@
+<?php
+/**
+ * EGroupware admin - admin command: give or remove run rights from a given account and application
+ *
+ * @link http://www.egroupware.org
+ * @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
+ * @package admin
+ * @copyright (c) 2007-16 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
+ * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
+ * @version $Id$
+ */
+
+use EGroupware\Api;
+
+/**
+ * admin command: give or remove run rights from a given account and application
+ */
+class admin_cmd_acl extends admin_cmd
+{
+	/**
+	 * Constructor
+	 *
+	 * @param boolean|array $allow true=give rights, false=remove rights, or array with all params
+	 * @param string|int $account =null account name or id
+	 * @param array|string $app =null app-name
+	 * @param string $location =null ACL location.  Usually a user or group ID, but may also be any app-specific string
+	 * @param int $rights =null ACL rights.  See Api\ACL.
+	 */
+	function __construct($allow,$account=null,$app=null,$location=null,$rights=null)
+	{
+		if (!is_array($allow))
+		{
+			$allow = array(
+				'allow' => $allow,
+				'account' => $account,
+				'app' => $app,
+				'location' => $location,
+				'rights' => (int)$rights
+			);
+		}
+
+		// Make sure we only deal with real add/remove changes
+
+		admin_cmd::__construct($allow);
+	}
+
+	/**
+	 * give or remove run rights from a given account and application
+	 *
+	 * @param boolean $check_only =false only run the checks (and throw the exceptions), but not the command itself
+	 * @return string success message
+	 * @throws Api\Exception\NoPermission\Admin
+	 * @throws Api\Exception\WrongUserinput(lang("Unknown account: %1 !!!",$this->account),15);
+	 * @throws Api\Exception\WrongUserinput(lang("Application '%1' not found (maybe not installed or misspelled)!",$name),8);
+	 */
+	protected function exec($check_only=false)
+	{
+		$account_id = admin_cmd::parse_account($this->account);
+
+
+		list($app) = admin_cmd::parse_apps(array($this->app));
+		$location = $this->location;
+		$rights = (int)$this->rights;
+
+
+		$old_rights = (int)$GLOBALS['egw']->acl->get_specific_rights_for_account($account_id, $location, $app);
+		$new_rights = $old_rights + (($this->allow ? 1 : -1) * $rights);
+
+		$this->set = $new_rights;
+		$this->old = $old_rights;
+		if ($check_only) return true;
+
+		//echo "account=$this->account, account_id=$account_id, apps: ".implode(', ',$apps)."\n";
+		admin_cmd::_instanciate_acl($account_id);
+
+		if ($new_rights)
+		{
+			admin_cmd::$acl->add_repository($app,$location,$account_id,$new_rights);
+		}
+		else
+		{
+			admin_cmd::$acl->delete_repository($app,$location,$account_id);
+		}
+		return lang('Applications run rights updated.');
+	}
+
+	/**
+	 * Return a title / string representation for a given command, eg. to display it
+	 *
+	 * @return string
+	 */
+	function __tostring()
+	{
+		$rights = $this->rights;
+		$location = $this->location;
+
+		$names = Api\Hooks::single(array(
+			'location' => 'acl_rights'
+		), $this->app);
+		if($names[$rights])
+		{
+			$rights = lang($names[$rights]);
+		}
+
+		if(is_numeric($this->location))
+		{
+			$location = admin_cmd::display_account($this->location);
+		}
+		return lang('%1 %2 rights for %3 on %4 to %5',
+			$this->allow ? lang('Grant') : lang('Remove'),
+			$rights,
+			admin_cmd::display_account($this->account),
+			$this->app,
+			$location
+		);
+	}
+}

admin/js/app.js

@@ -505,6 +505,7 @@ app.classes.admin = AppJS.extend(
 		var className = app+'_acl';
 		var acl_rights = {};
 		var readonlys = {acl: {}};
+		var modifications = {};
 
 		// Select options are already here, just pull them and pass along
 		sel_options = et2.getArrayMgr('sel_options').data||{};
@@ -585,8 +586,7 @@ app.classes.admin = AppJS.extend(
 			this.egw.link_title('api-accounts', content.acl_location, function(title) {sel_options.acl_location[content.acl_location] = title;});
 		}
 
-		// Create the dialog
-		this.acl_dialog = et2_createWidget("dialog", {
+		var dialog_options = {
 			callback: jQuery.proxy(function(_button_id, _value) {
 				this.acl_dialog = null;
 				if(_button_id != et2_dialog.OK_BUTTON) return;
@@ -649,7 +649,7 @@ app.classes.admin = AppJS.extend(
 								.sendRequest();
 						}
 					}
-					this.egw.json(className+'::ajax_change_acl', [id, rights], callback ? callback : this._acl_callback,this,false,this)
+					this.egw.json(className+'::ajax_change_acl', [id, rights, _value], callback ? callback : this._acl_callback,this,false,this)
 						.sendRequest();
 				}
 			},this),
@@ -658,10 +658,29 @@ app.classes.admin = AppJS.extend(
 			value: {
 				content: content,
 				sel_options: sel_options,
+				modifications: modifications,
 				readonlys: readonlys
 			},
 			template: egw.webserverUrl+'/admin/templates/default/acl.edit.xet'
-		}, et2_dialog._create_parent(app));
+		};
+
+		// Handle policy documentation tab here
+		if(this.egw.user('apps').policy)
+		{
+			dialog_options['width'] = 550;
+			dialog_options['height'] = 350,
+			modifications.tabs = {
+				add_tabs:   true,
+				tabs: [{
+					label:    egw.lang('Documentation'),
+					template: 'policy.admin_cmd',
+					prepend:  false
+				}]
+			};
+		}
+
+		// Create the dialog
+		this.acl_dialog = et2_createWidget("dialog", dialog_options, et2_dialog._create_parent(app));
 	},
 
 	/**

admin/templates/default/acl.edit.xet

@@ -2,7 +2,7 @@
 <!DOCTYPE overlay PUBLIC "-//EGroupware GmbH//eTemplate 2//EN" "http://www.egroupware.org/etemplate2.dtd">
 <!-- $Id$ -->
 <overlay>
-	<template id="admin.acl.edit" template="" lang="" group="0" version="1.9.001">
+	<template id="admin.acl.edit.acl" template="" lang="" group="0" version="1.9.001">
 		<grid>
 			<columns>
 				<column/>
@@ -49,4 +49,14 @@
 			</rows>
 		</grid>
 	</template>
+	<template id="admin.acl.edit" template="" lang="" group="0" version="1.9.001">
+		<tabbox id="tabs" class="et2_nowrap" span="all" width="100%" tab_height="250px">
+			<tabs>
+				<tab id="acl" label="Access" statustext="Access"/>
+			</tabs>
+			<tabpanels>
+				<template id="admin.acl.edit.acl"/>
+			</tabpanels>
+		</tabbox>
+	</template>
 </overlay>